← Integrations

Automated SSL certificate renewal for Palo Alto

Palo Alto firewalls won't update a renewed certificate on their own. CertKit will.

Palo Alto firewalls bind to named certificates in PAN-OS. When a certificate renews, the binding doesn't refresh until someone imports the new PEM + key via the GUI or XML API and commits the configuration. Every 47 days. On every firewall in your fleet.

CertKit centralizes certificate issuance and renewal, then pushes updated certificates to your Palo Alto devices automatically via the CertKit Agent and PAN-OS XML API.

Start free trial Watch demo

Built for Palo Alto

The pre-built Palo Alto deployment template ships in your CertKit account. No scripting required.

The CertKit Agent runs the deployment automatically on every renewal. It requests a fresh XML API key, uploads the renewed certificate and key, and commits the configuration. No GUI clicks, no manual scp, no waiting on the next maintenance window.

The pre-built Palo Alto template ships with your CertKit account. Configure the firewall hostname, API credentials, and certificate name once. CertKit handles every renewal after that.

How it works

 Your network            CertKit                 ACME CA
┌───────────────────┐     ┌──────────────────┐    ┌─────────────┐
│  ┌─────────────┐  │     │                  │    │             │
│  │Deploy Agent │◄─┼─────┤  Issue & Renew   │◄──►│             │
│  └──┬────┬─────┘  │     │   Certificates   │    │             │
│     │    │ XML    │     │                ┌───┐  └─────────────┘
│     │    │ API    │     └───────────┬────│DNS│
│     ▼    ▼        │                 │    └───┘
│ ┌──────────────┐  │                 │
│ │ Palo Alto    │  │                 │
│ │ [x] Imported │  │ ◄───────────────┘
│ │ [x] Committed│  │       Verify
│ └──────────────┘  │
└───────────────────┘

CertKit issues and renews certificates centrally in the cloud using delegated DNS validation. You create a one-time CNAME record; CertKit handles every ACME challenge after that.

The deploy agent is a small service you run on a host inside your network. It makes an outbound HTTPS connection to CertKit to pull each renewed certificate, then talks to PAN-OS over the XML API on your LAN to import the certificate and key and commit the configuration. The firewall never talks to CertKit or the public internet directly, never runs ACME, needs no port 80 open, and never stores DNS credentials. One deploy agent can reach every Palo Alto and other appliance on that network, so there's nothing to install on the firewalls themselves.

CertKit has transformed how Belden manages SSL certificate issuance, delivering a streamlined process that dramatically reduced both cost and complexity. Their solution has been a clear win for our organization.

Ryan Buckner, IT Infrastructure Analyst, Belden

What CertKit handles

Setup takes about ten minutes

  1. Connect your domain. Add a one-time CNAME record to delegate DNS validation to CertKit. Every renewal challenge after that is automatic.
  2. Create a PAN-OS API user. A scoped account with Commit and Import permissions is all CertKit needs. No root, no superuser.
  3. Install the CertKit Agent. One command on any Windows or Linux host with HTTPS reachability to the firewall. The agent runs as a background service and needs no inbound firewall rules.
  4. Add the Palo Alto deployment script. The pre-built template is in your account. Set your firewall hostname, API credentials, and certificate name. CertKit runs it on every renewal.

See the full architecture →

Why not import certificates manually?

The standard PAN-OS renewal workflow is a GUI sequence: Device → Certificate Management → Certificates → Import → upload the PEM and key → click Commit. That works once. Run it manually on a pair of HA firewalls plus a Panorama-managed fleet every 47 days and it becomes a source of outages, missed commits, wrong certificate names, expired bindings on GlobalProtect at 3am.

Running ACME directly on a firewall isn't really an option. Public CAs require HTTP-01 or DNS-01 validation, and neither is appropriate for a hardened security appliance. Storing DNS provider credentials on a firewall is a privilege escalation waiting to happen. Opening port 80 to the public on a perimeter device is worse.

CertKit uses delegated DNS validation handled centrally, so no firewall needs port 80 open or DNS credentials on disk. It issues once and the agent handles distribution via the XML API. There is no per-device ACME configuration and no shared folder to maintain.

Palo Alto is just one part of your network edge

Most networks have more than one place where TLS certificates live: F5 load balancers, VPN concentrators, web servers, and other firewall vendors like Fortinet and SonicWall. CertKit automates all of it from one account.

See all integrations

Start automating Palo Alto certificates today

Free 90-day trial. No credit card required. Direct access to our engineering team to get you set up.

Start free trial See pricing